Californians may have a new privacy initiative on their November 2020 ballot after the California Privacy Rights and Enforcement Act of 2020 (CPREA) was proposed last week. If enacted, this new law would revise and expand upon the California Consumer Privacy Act (CCPA) – which goes into effect in January – by, among other features, creating heightened standards around the use and disclosure of “sensitive personal information.” Under the newly proposed CPREA, “sensitive personal information” explicitly includes consumer health data and biometric information, as well as other data including social security numbers, government ID numbers, account log-ins, precise geolocation, and sexual orientation information. The CPREA prohibits selling such information without a consumer’s affirmative authorization, and provides consumers with the right to opt out of the use or disclosure of these types of information for advertising or marketing purposes.
The CCPA, as currently enacted, carves out certain data that is already regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Medical Information Act (CMIA), though the law does apply to “biometric data,” which includes “sleep, health, or exercise data that contain identifying information.” However, the CPREA would apply greater protections around health data and other data traditionally considered more sensitive.
The proposed initiative requires more than 623,000 signatures to qualify for the November 2020 ballot.
You can read more about the CPREA on our Technology Law Dispatch blog.